Some mobile POS devices still affected by critical flaws months after patch

Security researchers demonstrated that they can completely compromise such devices by using programmable smart cards

MWR InfoSecurity researchers Jon Butler and Nils presenting mobile POS flaws at Black Hat USA 2014


Security researchers demonstrated Thursday flaws that can allow hackers to take over mobile point-of-sale (mPOS) devices from different manufacturers by inserting rogue cards into them.

Despite a patch being available since April, some devices remain vulnerable.

Jon Butler, head of research at MWR InfoSecurity, and a colleague who prefers to be known only as Nils investigated six of the most popular mPOS devices on the market that support the EMV (Chip-and-PIN) standard, they said at the Black Hat security conference in Las Vegas.

These devices have a small screen, a smart card reader and a PIN input pad. They run a Linux-based OS and communicate via Bluetooth with mobile payment apps installed on smartphones.

The MWR researchers found that despite looking different on the outside, 75 percent of the devices they tested were based on the same underlying platform.

In some devices they found vulnerabilities in the firmware update mechanism that allowed them to execute commands as root. They also found a stack-based buffer overflow vulnerability in the certified EMV parsing library that allowed them to take complete control over all devices using a specially programmed smart card.
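The library flaw the researchers describe is a length-handling bug in EMV data parsing: card responses are BER-TLV encoded, and a programmable card can declare any length it likes for a field the reader expects to be short. The following is an added illustration, not code from the MWR talk or from the vendor's library, of that bug class and its fix. The parser, the record layout and the sample records are constructed for this example; the real library's internals and the exact field involved are not described in the article and are assumed here. The vulnerable parser copies the cardholder name (tag 5F20, which EMV limits to 2..26 bytes) into a fixed stack buffer using the card-supplied length; the hardened one rejects any length outside the spec before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 26   /* EMV cardholder name (tag 5F20) is 2..26 bytes */

typedef struct {
    uint16_t tag;          /* one- or two-byte EMV tag, e.g. 0x70, 0x5F20 */
    size_t len;            /* declared value length */
    const uint8_t *val;    /* first byte of the value */
    const uint8_t *next;   /* first byte after this element */
} tlv_t;

/* Decode one BER-TLV element at p without reading past end. 1 = ok, 0 = malformed. */
static int tlv_next(const uint8_t *p, const uint8_t *end, tlv_t *out)
{
    if (p >= end) return 0;
    uint16_t tag = *p++;
    if ((tag & 0x1F) == 0x1F) {                 /* two-byte tag (5F20, 9F1F, ...) */
        if (p >= end) return 0;
        tag = (uint16_t)((tag << 8) | *p++);
    }
    if (p >= end) return 0;
    size_t len = *p++;
    if (len == 0x81) {                          /* long form, one length byte */
        if (p >= end) return 0;
        len = *p++;
    } else if (len == 0x82) {                   /* long form, two length bytes */
        if (end - p < 2) return 0;
        len = ((size_t)p[0] << 8) | p[1];
        p += 2;
    } else if (len >= 0x80) {
        return 0;                               /* other long forms are not used in EMV */
    }
    if ((size_t)(end - p) < len) return 0;      /* value would run past the record */
    out->tag = tag; out->len = len; out->val = p; out->next = p + len;
    return 1;
}

/* Locate tag 5F20 inside a record template (tag 70). 1 = found and *t filled. */
static int find_name_element(const uint8_t *rec, size_t n, tlv_t *t)
{
    const uint8_t *end = rec + n;
    if (!tlv_next(rec, end, t) || t->tag != 0x70) return 0;
    const uint8_t *p = t->val, *inner_end = t->next;
    while (tlv_next(p, inner_end, t)) {
        if (t->tag == 0x5F20) return 1;
        p = t->next;
    }
    return 0;
}

/* VULNERABLE: the length was checked against the record, not against the
 * 27-byte stack buffer, so a card declaring a 200-byte name overwrites the saved
 * frame pointer and return address. Kept for contrast; never call it on the hostile record. */
static int name_from_record_unsafe(const uint8_t *rec, size_t n, char *out, size_t outsz)
{
    char name[NAME_MAX + 1];
    tlv_t t;
    if (!find_name_element(rec, n, &t)) return -1;
    memcpy(name, t.val, t.len);                 /* stack-based buffer overflow */
    name[t.len] = '\0';
    snprintf(out, outsz, "%s", name);
    return (int)t.len;
}

/* HARDENED: enforce the spec's length range and the destination size before any
 * copy, and reject non-printable bytes so nothing odd reaches the display. */
static int name_from_record(const uint8_t *rec, size_t n, char *out, size_t outsz)
{
    tlv_t t;
    if (!find_name_element(rec, n, &t)) return -1;
    if (t.len < 2 || t.len > NAME_MAX) return -2;   /* out-of-spec: reject, do not truncate */
    if (t.len + 1 > outsz) return -3;
    for (size_t i = 0; i < t.len; i++)
        if (t.val[i] < 0x20 || t.val[i] > 0x7E) return -4;
    memcpy(out, t.val, t.len);
    out[t.len] = '\0';
    return (int)t.len;
}

typedef struct { uint8_t buf[512]; size_t len; } record_t;

/* Constructed sample: a well-formed record with an 8-byte name and an 8-byte PAN. */
static record_t make_benign_record(void)
{
    static const uint8_t rec[] = {
        0x70, 0x15,
          0x5F, 0x20, 0x08, 'J','A','N','E',' ','D','O','E',
          0x5A, 0x08, 0x41,0x11,0x11,0x11,0x11,0x11,0x11,0x11
    };
    record_t r = {{0}, sizeof rec};
    memcpy(r.buf, rec, sizeof rec);
    return r;
}

/* Constructed sample: what a programmable card could return, a 5F20 element
 * whose declared length (200) is far beyond the 26 bytes the spec allows. */
static record_t make_hostile_record(void)
{
    record_t r = {{0}, 0};
    uint8_t *p = r.buf;
    *p++ = 0x70; *p++ = 0x81; *p++ = 0xCC;                 /* template, length 204 */
    *p++ = 0x5F; *p++ = 0x20; *p++ = 0x81; *p++ = 0xC8;    /* 5F20, length 200 */
    memset(p, 'A', 200);
    r.len = (size_t)(p + 200 - r.buf);
    return r;
}

int main(void)
{
    char out[64];
    record_t b = make_benign_record(), h = make_hostile_record();
    printf("benign,  safe:   %d (%s)\n", name_from_record(b.buf, b.len, out, sizeof out), out);
    printf("benign,  unsafe: %d (%s)\n", name_from_record_unsafe(b.buf, b.len, out, sizeof out), out);
    printf("hostile, safe:   %d (rejected before any copy)\n", name_from_record(h.buf, h.len, out, sizeof out));
    /* name_from_record_unsafe(h.buf, h.len, ...) would smash the stack here. */
    return 0;
}
```

The point of the hardened version is that the record-level bounds check in tlv_next is necessary but not sufficient: the hostile record is perfectly well-formed TLV, so only a check against what the field is allowed to be, applied before the copy, stops it. Rejecting rather than truncating also avoids handing the rest of the system a silently altered name.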

The manufacturers of the devices were not named because some are still likely vulnerable.

To demonstrate that they can gain complete control over the screen and input pad of such a device, the researchers used a rogue card to install and run a game similar to Flappy Bird on one of them.

In a practical attack scenario, a fraudster could go into a store that uses such devices, claim to buy something, insert his rogue card into a device and compromise it with code that would capture the card details and PINs of customers who later use it, the researchers said. The attacker or an associate could later return with a different card to extract the information.

Attackers would not be able to clone the chip of EMV cards, but it would be possible to clone the rest of the card information and use the resulting counterfeit card together with the captured PIN in a country that doesn't use the EMV standard.

The vulnerability was reported to the platform vendor, who was surprisingly cooperative and released a patched version of the EMV library in April, the researchers said. The process was not straightforward because the new library had to go through the EMV certification process again, which highlights the fact that such standards do not allow for timely security updates, they said.

Despite most of the affected devices having remote firmware update capabilities, some vendors have not yet released updates containing the patched EMV library. Nils said that he is aware of at least one vendor who hasn't pushed updates to its customers yet. He doesn't know the status of all devices, because for some of them they didn't create merchant accounts in the first place that would give them access to updates.

The researchers have not yet fully investigated all attack vectors, but they believe it could also be possible to compromise mPOS devices from a smartphone infected with malware. In at least one case they found issues with a vendor's mobile application that suggest such an attack is possible.

It might also be possible to attack the smartphone from a compromised mPOS device and then upload the captured data over the phone's Internet connection. However, testing this could affect the vendor's back-end systems, so for legal reasons the researchers didn't look further into it.

Despite the issues found, Butler thinks that mobile POS devices like the ones his team tested have the potential to be more secure than traditional POS devices. They're simple devices and there's not much that can go wrong if the implementation is done right, following security best practices.

One of the advantages they have is that they are theoretically easy to update. The vendor can push an update through the mobile app, which then pushes it to the paired mPOS device over Bluetooth. The updates are digitally signed, so they cannot be tampered with in transit, provided the device verifies the signature before applying the update; the firmware update flaws the researchers found in some devices show that the update path itself needs the same scrutiny as the card interface.

However, vendors should stop viewing chip-enabled cards as part of a trusted system, Butler said. It's not like every card that can be inserted into one of these devices has been freshly issued by a bank, he said.

Lucian Constantin

IDG News Service